Seems like a surprisingly low ransom for a clever targeted attack on a 4-star hotel.
But perhaps that's why they went back for more.
A top Austrian hotel coughed up thousands in ransom to cybercrooks, who hacked its computer system and locked guests out of their rooms until the money was paid. The Romantik Seehotel Jaegerwirt went public with its problems as a warning to other hotels. This is the second time the four-star destination has been hit. The …
I guess they were trying to figure out how much they could extort before the hotel would simply bite the bullet and get the machines cleaned, etc. At €1,500 it's probably worth a throw of that dice, at €15,000 probably not.
But they should be commended for going public - hopefully others will learn the lesson (repeated often enough here) to keep your critical systems off the network that has web/email access.
> Christoph Brandstaetter, said: "We are planning at the next room refurbishment for old-fashioned door locks with real keys. Just like 111 years ago at the time of our great-grandfathers."
So that should be secure for about a week until the local crims re-learn the art of old-style lock picking.
"So that should be secure for about a week until the local crims re-learn the art of old-style lock picking."
Depends. The times where you could easily create a copy using some clay are long behind us. And then there's the time spent in front of a door to actually get the copy: I'm pretty sure the hotel has got cameras and such.
Then there's another problem: every serious hotel will also provide safety boxes in a room, usually providing plenty of space to keep your valuables in. So even if they do breach a door then there's still no guarantee that they'll stumble across something useful.
The days of clay copies are indeed long behind us, a simple photograph and a 3D printer is all you need these days.
And those safes in the room, even if they weren't next to useless security-wise (default master codes) and far too small for anything else but a couple of passports and some jewellery, they are usually at additional cost, and most people don't bother.
"So that should be secure for about a week until the local crims re-learn the art of old-style lock picking."
Or the lost art of stealing or buying a master key from one of the staff. Even if there is no master key, they could still just use a simple bump key to get in... And if that fails, there is also the possibility of just renting a room, copying the key, then using it to break into the room a few days later.
Physical keys are also highly susceptible to the birthday attack in that there is a very limited number of combinations that can be used and it's quite likely that two or more rooms in even a modest-sized hotel would share the same key pattern.
Magnetic key cards were created specifically to prevent such basic attacks. That and not having to pay a locksmith to re-key a room if someone leaves with the key.
Concur.
I know only a couple with decent systems and they were put in place only because they also rent out rooms on long term leases to various "interesting" people who are supposedly diplomats(*). As a "mere coincidence" the hotels in question are also run by the mob (they are in Eastern Europe).
Most are complete and utter crap - cards you can clone with a reader from Maplin, locks you can pawn in a minute or so, if you have suitable tools - you name it.
(*) While they do carry diplomatic passports, their activities are anything but diplomatic
Those locks and controllers are bound to be in thousands of hotels globally. Maybe they're just testing before automating the process to get some real cash rolling in.
I wouldn't be surprised at all to see a backlash against IOT eventually. But it's still building up before it crashes and burns.
It's not a "standalone unit"...
... because it has to be accessible from the reception (after all, it's them who are programming the key cards) and (for some system types) by every door lock.
And who said it was accessible from the internet? It might just have been infected when somebody from the reception (or office staff, ...) opened a booby-trapped email attachment.
BTW, after reading the referenced article, I'm not even sure that the crims explicitly targeted the keycard system. Disabling that might just have been a "lucky" side effect from encrypting all files, including the keycard database.
And finally, replacing the electronic locks with old-fashioned key locks will cost a fortune and will only solve a tiny part of the problem. Good luck when your reservation system or credit card terminal are hit. That's pretty much of a business showstopper too.
> And who said it was accessible from the internet? It might just have been infected when somebody from the reception (or office staff, ...) opened a booby-trapped email attachment.
Directly or indirectly, it was accessible which is how it was pwned. In light of the countermeasures mentioned in the article, specifically decoupling networks, it seems pretty obvious this was the case when the attack took place and has since been remedied. Such a shame that this obvious step was taken only in response to an attack.
Hotels are notoriously lax when it comes to electronic security, but this has typically just been to the detriment of their customers. I would like to think they would step it up a notch in response to these sorts of attacks, but the past would seem to indicate the opposite to be true.